Analysis
-
max time kernel
501s -
max time network
502s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13-09-2024 01:15
General
-
Target
Nitro Lifetime Method.txt
-
Size
3KB
-
MD5
39356142ca258828ac8b547eb9ffc18f
-
SHA1
3b3ad91d1b4c31d24289a2174a45ece663ddf5b2
-
SHA256
d2a95df36aa60c1581c4dde74ac7ac43cb88a499f7f5eca8e964a93a6fbb00f3
-
SHA512
046c296691f28319cfcbeca51be1f4a4eaad21586d85368fb0703b85da46d7be8c6d1224c23802afe1e095bb7e973a626621856fe43b13ad81841032506c8ba7
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
CryptoLocker
Ransomware family with multiple variants.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 10 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in Windows directory 24 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 3 IoCs
-
NTFS ADS 4 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 61 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\NOTEPAD.EXEC:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Nitro Lifetime Method.txt"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe649146f8,0x7ffe64914708,0x7ffe649147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5896 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5900 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1824 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6584 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,5499973877764300241,17065986323535824450,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6876 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5d7b6c15h5e65h4883h833bh5681c1c931b31⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe649146f8,0x7ffe64914708,0x7ffe649147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,3153511610319990551,13506351704552125367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,3153511610319990551,13506351704552125367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1860c4a9hea98h4751h9b44hb09d71c7770d1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe649146f8,0x7ffe64914708,0x7ffe649147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,9964619779065648850,13508350347334808357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:32⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1314925359 && exit"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1314925359 && exit"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 01:37:003⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 01:37:004⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\DC19.tmp"C:\Windows\DC19.tmp" \\.\pipe\{4636A63E-B49B-40D4-A64F-886D5D65C3CF}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe649146f8,0x7ffe64914708,0x7ffe649147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5156 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6392 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3652 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5080 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,582729308431318251,15995121310384689326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\Downloads\Annabelle.exe"C:\Users\Admin\Downloads\Annabelle.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault87261170ha7a9h45eehbd80h856ef6d0bbad1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe649146f8,0x7ffe64914708,0x7ffe649147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1360,10473093744062149756,13144722373158064681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:32⤵
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
Filesize
11KB
MD552c467f66e9ab19aeaf4b37bc2eccece
SHA12e704cc345c548354cf5c810ba752ebb4b641e02
SHA256b6315c3b0325905cecedbf8276f143bdeed3f5420690af98d9b75d75556d6081
SHA512aee7110ce6bd6b8a9ef4730a904246030528c44703f51d67e8e924de4de7d56e9c4867ebbcefcf81b549f03c837242d8c0a323e12124b7f74c032b2abf052288
-
Filesize
152B
MD5ecf7ca53c80b5245e35839009d12f866
SHA1a7af77cf31d410708ebd35a232a80bddfb0615bb
SHA256882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
SHA512706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696
-
Filesize
152B
MD54dd2754d1bea40445984d65abee82b21
SHA14b6a5658bae9a784a370a115fbb4a12e92bd3390
SHA256183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
SHA51292d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1
-
Filesize
152B
MD5f9f412997b287277bacde5c4ca557464
SHA16ed03e33a1e16bada9b0eaa69b8c88c04ae00feb
SHA256a31798218e6dcda641e476bb4387cf3f49a16ae307c279ee24e7fba0ec5126d4
SHA51213925820737eac6e3316359815da12bad2d3307b80086e380a15e70795e6134d4ba85a54f883bbedab8f298d5bfbc6d01aae7478a7ed60e32d2f1d9f6b0970a9
-
Filesize
152B
MD51206c09820afd4235386334cec99dbb7
SHA13c41afd9a22d313802647a86d9fd08bc395ba7a1
SHA25681ec9cad879c318085ba193b5fcae2f8e702e01128a5d30c834bb48ffc5dc859
SHA512adb47893c57dec894f18fa5f4cf3ab004f304b557aa895ae28626e066fb6d862f6dc15bc454d1898d66832c17c81619b7a992a823b5ef73381838f04202b717b
-
Filesize
3KB
MD58e13e1f2b193fedd45cb4448e2bd65e7
SHA16930ab02fb4c3d3946d7f0212a2492d37e4c0dce
SHA256de55f6ca082bc9eb22437dbed3bcbb33009e4a52031a4b6837e7630389a01e5d
SHA512e786f0937dd3f44904a326d534ef4a78a35907c841287d671583e38675f7cd7efdd2f1d3571087e2562812231ea724a8df6668b9e708f974c97be06672797603
-
Filesize
3KB
MD5f903ab7c923183ab6f74d3c92f1dd9e9
SHA19f37f12f97a46e3c8632510af9a54c6ae2681d63
SHA2565c76e2c6def0831afa965ce76ee3cf5f4abbe39dd47809a54accb6c4ed123b69
SHA5126792e6e082a133ca34d35d168cc6bde0d8b06200071989547f0916e1bb1e70020fbf8da55b398b75130a2b47c9df9ceb7602db580e0d87fb27414533dec39470
-
Filesize
3KB
MD59cffa98285fcc7e16a9325297f8de858
SHA12abdace9b9a588ebe674c3b17f14c4e6d609d090
SHA2561e0108a9e1b263475c59b27bdc7cbd5a0b9bc55594006e02619cbeba3f482386
SHA512ef8d1b9efee280510744fd49db42cba6aaa4ae2d7b37a2a5b9cbd7e70be115f01be7bb5d5580ac70191878c0c9fe1357b54cccfd4f79b026514301fb673d0dc6
-
Filesize
1KB
MD5c742f7ac9f8e579f0c64cdf297d9c6a9
SHA1675cceb094b58bcfe6ecc14b1f50010f537e362d
SHA25659c9db490639ffd21eb8d461a5abfa7db7ded5eb1a788f99bcda8f3cc7f0108a
SHA512a81ba45aaddc60983d805fab502889e04a5f8c12770a42aa7e5f70fa41c8751ed327a1868ceebd86b55f4c8323743d248e968edd2d4d4b20650c6f625bc18915
-
Filesize
1KB
MD56ff009fbc4adbc99e8f72d629c251e8c
SHA145e174b73e562d482fee387b8a4101a64a833151
SHA2560519a3f3633a4d0383cd67d138f382296b0d9b291f4773aa483853443ae39684
SHA5126f26e480a26b56d3b39b83d48260f76113e30ad493c4dd73563bbbf3d158154b5a1c9140f1242bdc47e6119f721281a74d5a970499eb428f7f69e1d0ab5f0dc7
-
Filesize
1KB
MD56d0a2e7638d8cb92d2fea605d704b8ed
SHA155e92f0d0c8e49ad1d2af515d4bc0d986b83178b
SHA256af871130480eaad8f9138a71bebf59d5ef880925ac5787e6d1966f5135b30c71
SHA51235e95813641d969614ebb53b76e229700b7ccefd87f5c523db557fc3bc820b008907bff8912ba62f2e52e736184c36e9baa41f68fa6ee232eacc214294d64076
-
Filesize
1KB
MD5f1eb24ab6e931aebeb4b64cfdfa5e9f9
SHA180bbcdc1dbaed8c8d09d71ef2ebb779a1a7ea535
SHA256e8cadb6ae9112fdb1213bfe2a1e60809afec09e46b7b9efd0d2d27f6fb008c81
SHA5125c1cf5d3520499caf4ec802e3581332c66a4afc8c7fcc1ebc142276f3a8f3313de87148200b1226126a4d9435d5547d7ddbb0bd0cc2e9e538e4590cab31a65fe
-
Filesize
7KB
MD5fe7aabca450e337720abca45b95f0ebe
SHA1c1c823f92d6857943c204c235af38b61e4f7af74
SHA25627396976cc50b9ef19e7231256b766d39772de4955b3620e366d839788085f88
SHA512d0c025640df3c4622f571dd434459df5a7c96f9e6272f35837d1bccdfa9850319123fd7bac3307cc33552916f50078150bba07937336b1417ace85cedc952739
-
Filesize
6KB
MD554ec2e785b248065c892cae93b8facff
SHA1accab327b832f0f9c1858f8d9a95b8488bcd6be4
SHA2562f50b4b19e8b9769cf2b1d75cede251245bf3557a09af904b2f24f5bd41cb9d2
SHA5123469a82c8beef6c8d99eae070804076a67307dae418b796b1629044dff24dd73175cfc21bb6eca48f94bf0cadb89b0012ca7c6e4f0da6b18e4c4228f00e3fbfe
-
Filesize
7KB
MD555c1f0ad6e06c3c7ccc4f803fa9a3b73
SHA1eb5669bfb743398bf74b02b0d2170412c7cc3bd4
SHA256481c01782ee08ac277ce09cef9900b9d93a014028f80694210549b9b667c83d4
SHA5120514e195444d14ee50d18f6ecb4ab8fc96269f30b0449926b8fd416c3171a698c689f54b970cb7b010ce06f2d83a853f810a216306918eca40c5386c317f75f3
-
Filesize
7KB
MD5ef2cd46caf5d5bbaac925297d9c97455
SHA1c1ca87cc15425f0f715b5cefd739175a3642ab7a
SHA256247f6940925b918cf8ee79176a6548d4e0fb518ca26c9d7c62407c24208bcc9c
SHA512f6c8d77e73d8809e3196cc44ad22daf13149af556d188d7dc04fae7494f8ad81427eb8256dc4e66392d55a3215a508f456072980e879612ed331b2dc44eb5cf7
-
Filesize
5KB
MD5737d38aec1a8419397825bbfe19b0349
SHA155f24b71488c544b8351cf681b8b544383d1bdf5
SHA256804c332a7f3160b4bc15093755f082212f0101f33b5ea3d4f599fe321ada2e9b
SHA5129db530cbce2fdeac2af35b96419bbffefdb4ae402133ade5d1d0d243ee019cd17b9e0144ffe09547f8e6a8c63630ed0de3fe96af039895401b75a079408b004f
-
Filesize
7KB
MD56e790cc1d68fb2010fd70fccc245e0e1
SHA1af68f42eb6b4db4d6e4670d5d5c148a881a6359a
SHA256aede805af5c599e01ad57878d89e30ed72e9dcb36fc6878daf4580e8ce17e763
SHA5125f194c6b8b4347e3faabce51179fdc7d613c8b7ec745a426ee145074e0ae2f6513726dccd409f89836ef6637d923ea48ad1439334f57c17d2c56aedc7c773da4
-
Filesize
7KB
MD5e05b7dec66c42b0c59b58f7bde4bf32b
SHA14236b9494a2b8829ad5a72d00df318170365c427
SHA256c1458e5bc4004593ac70d8a688f397fab58c8790c76db494b28fe562142ed78c
SHA5128c740588734f360bf679a4e09ac0ac298b3f4ffdbd13cf806788ef146c5633dbe9028f0a61c7f6a3dfa3fa05edbeb4883e67d745b28e6aaffcac48d0b14df53c
-
Filesize
6KB
MD526f7a4505f5196c03f6d8279636560df
SHA1dbb9515315ee4bfad444c58d5c0f68fef8108957
SHA256478c6496d8791c326ae767d904013db941bcfdbb99632fef03522eb250b32f08
SHA51244981b4f014d4988ac4fcb25d54bbfb37e2e0123a16645fb113499fea25ad190db3e45011467e7ac5a0ba2f82e721da82a7cfe40b0974415e8dd8fb7472a2947
-
Filesize
7KB
MD574a4ae59e34934bad9cfd26903919587
SHA1a913963836463417b21967623ac8c34f0a668414
SHA25687b5b3ac3e252364cf5abb9975bba104395ee5943f15ca4328d6bf5674faf533
SHA5129502a5d61777a4d681d492e76b149538bd4a908b1aaf6310063f06445a97fc552dda09b3b0be9b418bd9354260e2cc96c74289805628df8a682db6c492edb2a2
-
Filesize
1KB
MD5bd028035223f861bfce8f7a236b17578
SHA18a31577c961432028c2af447f361b6f6d3bac840
SHA256643c51c1a4cec8e85a88df564a21dbff320ed4ad2a49fa9822c6a6ff12b9fc7b
SHA512ef6dc06c33226ba558aa49826e807112c073010259ae1593b97a547b98676b8e2d347dfb30d87873ee2822c2b531f02f2a6c5820e30e08a16eb897e8ca175707
-
Filesize
1KB
MD539c23d9179a8f7ded610470198489a07
SHA14e6c205b2082c4ac9e336c890349f94e21104872
SHA256fd51038f9fd44485ad100ab5cefce8a3d32bc6000c7dec17a1c1e56a7d4e3621
SHA512238c27127a74b2eb1335c55b415c1c49dfb11bbb88b9bc453519afc370b989b0600677c7cb5f9a68909710bc793c2a597679e0cb08c42066cf3d55448da657c3
-
Filesize
1KB
MD570ce4bbee4a03a499f1e865f9caf9496
SHA1403b65e3181904f663701a7109f5b9b190026e45
SHA2564553dc6aaee5450c840ea20776772f32f57c828a7bf6a6a5a1044e7bfad8b78b
SHA512d6d70057d9d5bad1eeb8ee01f64ed35c37c665cd0ab41f93dfdb3e93fe68a56d87961357218bb2b4755e8bc5346fd6dbce9bb7780783ac6607ff7549ed4cceb8
-
Filesize
1KB
MD56104408cf0bdb60bd9b4da335591a72e
SHA13e076b66c769ddba140b95ce7562aa4f84d98424
SHA256e0f31e4169b167d697337e905eda3259a594ad3c63277ac4e148ae0f94c5726e
SHA5126f097fd3b0ee0053ce5005fa0f275e75331601f11935fd649e3e56405afd17e0a9bf403a1f0d70730e15b5bbb33034381dd87de35cdfd22e17e17a945b8a6c79
-
Filesize
1KB
MD5d591597a57b5372e3cb1318d9954122c
SHA1c5e4d888329552fa126f65291173d21653260d23
SHA25669b7bcb4f4c6808bd7fdcff242a0b3e9fd6ffc9783bd175478468db87ccf76e6
SHA5122ffffca6b83717bfac44a3041e6375719452bc9f68e7f7018de31732f2a9a3103360d32e616bfff21efdee8b261c022d186d4ab0d8a3dbcce5f1011247bae8fe
-
Filesize
1KB
MD5a8a10ee3289711d442322f2f665d7fbb
SHA1445a9ea8e1879708a0df3b5967234a1ce28de279
SHA2564284be3682134c04339e596a593326a6cba8cf5658e316a25b695d6c13f16715
SHA512d47b966ba066ba929f27db654a0a92c64cb33a510c7c3eb29852883c33d90f6a1dabf0fe2b7a366d9af7d705153e009ce6c6b92ffced0ccf6ab3ebd2208ca735
-
Filesize
1KB
MD5283e60ba827d65881bf31e0ad7e04f75
SHA17a3b75452d94d7e520c1ea6e343d940d6dfca2df
SHA25635a79f09fd6ced5c45ee813f8e3bd02a9c70c9bc2d4f3d6a8772c7f3b3690119
SHA5124ffb86d8d6bc65ff75afe7aa99de34eed2efc1877d24c3e65712ade28f8fbaa68f1b832e4e4ac210e53746cabbfa383873f92135b0d3d6d11b71e6c4927fe393
-
Filesize
1KB
MD55f21114a2af545556537f5dcbc1f7ccb
SHA139f1bdec2adcbaa9eb86b6d8cd7d2f087fd7d536
SHA2566d15b712c8cfa25203ae16d79b63c94bae1485c64f184358b79356748dfefdce
SHA512d2295ed36eb0012379d5442038f5ba7f8e2f4fba1aafa669ed367fafe850b8af22a58833f1218cc7f8d187ac18ad0f9b5e3693cfaf797ed00b4b24f0746e3027
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
11KB
MD58cb1075c717dbc04e01dc25a454ec6cb
SHA1d3c3c5a426dbe68b69d7d47bd9bce0f459cadac8
SHA25631ab4b3672da499fd37bddfbd183ad305a32108b6e7d5697e41e12415317a68e
SHA512efa86e7a895c444cb8f71caadd0770510de104a5c70a38e78427e1eaf720b2e89c3def3191659c70ca1d4a4e719f9201935e6c5c2a6380272c4389ad590071d5
-
Filesize
11KB
MD580227acf5320c2f07aff517dca20226e
SHA127471c01ee57ca3268d3c14bd4a696983d84f9d8
SHA2566a2b116eeb07f9930a5c89a5c8da3e77a65602d2ffed8c584d196187371c6524
SHA5127c7b9d1cb0e3678dd150f22b7e3110f18fac0f9c8e256097109ce8fed29ed0274d32f35730b0840264ffd346e8823c42afb9c83be6a5ee38a4b653a8f0a9719e
-
Filesize
11KB
MD58196c7eaf99b266265b5e82016b75a7c
SHA1fd34f59d705cc2293d0c8f93083e9fd0755dff26
SHA2564e53009293cf78383308328191a0244198de4a1f32a0c8c923ae56bfe8c13f28
SHA5124330356d34375f01874dce1091ea750ee1f9a3976b1d9848a1b5880e1d818bcba40bbfe982db363a9949bb0f773690a442b348d6bdca5218ca69613ce9529b13
-
Filesize
11KB
MD563113929bf2e82f4df80d11af251875c
SHA18ee344d48eeeead01ed87f2bcb3c6dc1f96916d8
SHA25637be68cedd3270252ac09a5f2605e57fbdd5cf93844cd6eb627cc285f1146b3f
SHA512bc4b16c819cd9c979a4044440e3bab08918df901c732b2cdc16241a49e29bb78060b26c09349b077546698f3e436e95de18bc114fedf66706a6403a36eee447b
-
Filesize
11KB
MD5a01fdde035d929ffa66617dd03fc3c02
SHA1d4c1933d3a2e712a1e92ba4daf49109334644fa6
SHA256bd25e9585d14897bf5ce4114ce314a0f9a5b3f4314432ec0761cdbcd64774515
SHA512cd21a0e8b2f71d476e66e60a6d55fa20bc8aaff83291bfa44b13b536df04ceb12aa05898d24fabfb8ce458a0dcab69f527bb9b429150399fcd71a4836e25345b
-
Filesize
10KB
MD56916df4bc3ff65794ecfdc1f477ef420
SHA1ce2a83a00360b3a0a13b5c787f5fec6db0d7b01f
SHA256d5ccf76e672b556f60ee62293904c4719328bfafe937037913a36075d66b293a
SHA512ef45d1f0288f0951abbc06974ae8a627ae043f807bcfd8425a42d4e20797ba55c688f3e6853bbac17ecfd420c8af2b8936b7afdb4a792c49dcf049404ad604c6
-
Filesize
11KB
MD59791bb639d91928e356497d0aeb72568
SHA11ba93b7f87058619b75e0d4cc6060501e16752f7
SHA2568a821c35d5ffd03a60edf198f372581b8be06826818a59c74030b00c16934a1d
SHA5129a0375714e59ee6624053a6068b3eba134dc2b1a3da0f4c8ec2475a5741d896a2fc0536c9603e6974d08386d8cfe869c6d425b7c7aa05f9ae87df34aace6ba5f
-
Filesize
264KB
MD5ea356df2713d87b30fb51890e62cc36c
SHA1ba45f2fbb7abdd408b21d3f7bcd95bcfe2ce1062
SHA256678fa7158e5106a17d5d41589c9974634fa282dff96c8fa60df9b6b8ebaec61f
SHA5127257fc4ce2f876787873d4ec2f0cf2b6ba3b661f743bc7c0ee836d5776a7e811012f3c854699ef411ddd6048187add0a99548df1b2bcfefa9c34283852752b4e
-
Filesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
Filesize
15.9MB
MD50f743287c9911b4b1c726c7c7edcaf7d
SHA19760579e73095455fcbaddfe1e7e98a2bb28bfe0
SHA256716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
SHA5122a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
401KB
MD5c4f26ed277b51ef45fa180be597d96e8
SHA1e9efc622924fb965d4a14bdb6223834d9a9007e7
SHA25614d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958
SHA512afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
16.0MB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB